The Cybersecurity Certification Journey with ioXt Alliance: "Secure today isn't secure forever"

Listen on Your Platform of Choice


#beyondthenow IoT security Podcast


David hosts Brad Ree, CTO of the ioXt Alliance, in this episode of the #beyondthenow IoT security podcast. They discuss cybersecurity certification, ioXt Alliance’s mission to make IoT more secure for consumers, and how the partnership between PSA Certified and ioXt Alliance is defragmenting the IoT security ecosystem.

Listen to a Sneak Peek

Regulations are ramping up more and more, you really don’t want to go it alone! When things go wrong with security (which they always will go wrong) you don’t want to be on your own. Be part of the herd and don’t be left behind.
Brad Ree


Key talking points in this episode:

  • Introduction to Brad Ree and IoXT Alliance. [01:00]: “We've got a group of leading technology manufacturers, retailers, ecosystem operators, and network operators, along with silicon providers to all look into addressing the core security concerns around consumer electronic devices, so that we can really remove those concerns, improve security, and ultimately increase the adoption rate of these connected devices in our lives. We built a security pledge, which is really our baseline security requirement. And from that, we've now launched and certified lots of devices ranging from light bulbs to cell phones to dog collars to connected buildings.”
  • A bit more about Brad’s career history. [02:20]: “On a personal background. I've been in communication systems for a long-time doing cable modems when those were first coming out. It’s really interesting if you look at, especially here in the United States, what you see is a whole bunch of us in the IoT industry started in smart grid. We were looking at all these use cases of doing load shifting of your washing machine and controlling thermostats and all of these early kinds of things that had the smell of smart home but were tied to national grids.”
  • The IoXT Alliance and why it was founded. [04:09] “When we formed the ioXt Alliance, the original kickoff meeting happened to be tied more into a sort of IoT think tank focused on ‘are we on track to ship billions of devices?’. And if not, what's in the way.”
  • We do have a shared vision to scale the market, unlocking issues. We obsess a lot about connectivity, cost, functionality but what about security?! [04:40]: “Having been on that IoT journey- I guess we've been on the IoT journey since it was called machine to machine- I think we all share the same vision of how to scale the market, how to kind of unlock that digital transformation. And I think that we kind of obsess a lot about connectivity. So a device has to be able to connect. We obsess a lot about its functionality, its cost but if you follow that logic security underpins everything. If you have a vision of a trillion connected devices, you better make sure you have some pretty good underpinning to deploy and scale.”
  • We need security that is strong, easy to deploy, scale globally, scale worldwide, and across the device spectrum. [05:41]: “The fun of the IoT is that there is a lot of different things in that T; lightbulbs to cell phones. What you want is security that is strong enough to prevent attacks, you definitely want it to be easy enough to be deployed, but it also has to scale globally. It has to scale from the smallest of microcontrollers to microprocessors running Android.”
  • Security certification for fire trucks! [06:40]: “One interesting story I'll share is we actually had a fire truck come through our certification program. It happened to be the communication systems for the firetruck but that was one of those interesting places where we do want strong security, but some of the accessibility, ultimately we just couldn't get it through our security pledge. As in that case you really can't have firemen calling the IT department to reset a password. So, there is this interesting boundary for what is secure enough for the application.”
  • Defining "good enough security" and setting bars that the industry can understand. [07:10]: “What we talk about is we're constantly reminding people, as we're working through standards and growing things into new markets, the specs have to be testable, scalable, and impactful to the consumer. On its surface, that sounds sort of apple pie, but it is sort of challenging. When we talk to customers it’s always ‘people should make security easy’. But how do you test that? How do you scale it to billions of devices?”
  • Who are customers of the IoXT Alliance? Plus the struggle of navigating upcoming IoT legislation. [08:15]: “Connected consumer products. That was the area that we originally focused on. Mostly because one, there were no industry-wide accepted standards for that space. There were a lot of companies doing the right things, but a couple of companies doing very wrong things and turning the entire industry, which was resulting in a lot of governments, starting to wake up to the scale and scope of these devices and starting to look at regulating. So where ioXt started in that smart home space was let's set industry standards from what the best practices of all of our large members are and help guide the regulators. So that there are reasonable regulations, right? One thing that we had in the United States is during this stage, each state can make up their own laws. Now the federal government hadn’t created too many guidelines. So you had California start with one law, but then you saw to the north of us, Oregon looked at our California law and said, oh, that's great, but I want to add something. And so we see a dozen or half dozen of these where each one is slightly different. So that's really where our goal is, to stop the fragmentation.”
  • Enabling devices that scale regulation. [10:30]: “We understand that Europe may have a slightly different focus than North America, but how do we build sort of an IoT passport for the manufacturers and help them work between all these? We're in a global environment, the ability to have hundreds or thousands of skews of each device to fit particular regional regulations is just not going to work. It's going to hold back or just kill the market in terms of how this plays out. Solving that is critical.”
  • About IoXT Alliance and how the scheme works. Explaining the profiles and the certification scheme. [11:00]: “What we do, we have our baseline requirement and then profiles. What the profiles are doing is trying to address the unique nature of a device or market. So one great example of a profile is we have a smart speaker profile and then the smart speaker manufacturers, they pointed out that there was like a laser attack on the MEMS microphone that allowed people to do nonverbal verbal attacks. Right. For that sector, they really cared about that. So their profile also includes optical shielding around the microphones. Then when you take your device with the profile, we do two types, either lab certification or we have a path of self-certification. But our self-certification, the unique thing that we do is we balance that with researcher rewards. So essentially we put out big bounties on the certification data. So it's a quicker path, but it's not just left to whatever someone says, it's balanced against what researchers find in the field. So there are those two pieces.”
  • QR codes replacing certification stamps. [12:56]: “We created a QR code that is our certification stamp. So as soon as you get certified, you get the stamp and code. But what we wanted to be able to do is allow consumers to see has anything changed? Have there been any extra threats? Have there been improvements? So we’ve taken the approach of a simple QR code that just labels you as it's certified, but then you can dig deeper and deeper into it, and it provides a way so that the average consumer can see it's certified, but those who want more information can keep digging down.”
  • Dynamic lifecycles of devices - you can’t ship and forget! Are manufacturers embracing this concept? [13:52]: “The device needs to be managed during its life cycle, from birth during its life cycle and the end of life. And in terms of how it's kept up to date, how it's been built with best practice. We have these eight principles, but in reality, they boil up to three things: security, upgradability, and transparency. And we really view these three sort of in a circle being linked together.”
  • Security isn’t a product it’s a process. Secure today doesn't mean secure forever. [15:00]: “I always remind people that security is not a product. It's a process. Just because you're secure today, doesn't mean that it's going to be secure forever. Because of that, you better have upgradability. Transparency to us means two things: One, we want consumers to know about the security of a device. Consumers do truly want secure devices. They just can't tell what's secure or not. The other side of the transparency though, is a channel for researchers, users, people like that to report vulnerabilities back.”
  • Collaboration in the ecosystem. IoXT Alliance and PSA Certified announcement: overcoming fragmentation. [17:10]: “We do fit well together because what ioXt Alliance is focused on is products and services. And when we're talking about products and services, it includes devices, but we even have some mobile application stuff that we're doing. But what we look at is that our original core pledge is a baseline. It's the minimum that companies should do to get into the market. As I mentioned, we also have these profiles that go above and beyond. Our baseline does not require a hardware Root of Trust because, in some connected low-end products, that was a bar that was probably above what some of the markets required. However, for any significant device that has any security or privacy, you've got to have trusted hardware. And that's where we looked around in the industry. We saw PSA certified. This was your bread and butter. So, it was one of those things where why create fragmentation, when we could just partner and inherit those test cases, where we require a hardware root of trust and secure boot, as long as you're PSA certified, you would be inherited through that process.”
  • The vision of PSA Certified and the Root of Trust (RoT). [19:50]: “Right from the inception of PSA certified, the vision has been effectively to align the chip industry in that vision of delivering a Root of Trust. How they achieve that, actually there are many ways, and they can differentiate around that, but having a Root of Trust in a consistent way that offers assurance. You trust your Roots of Trust and you anchor everything else from that. And I think that in the last couple of years we've seen momentum from the chip industry to align around that.”
  • PSA Certified helps to drive the understanding that a hardware Root of Trust actually means something and that we shouldn’t do it all in software. [21:20]: “The other thing that's great with the PSA certification is it helps drive where once again, I focus more consumer commercial, you guys focus on the chip vendors and the users of the chips. And what you really want to be able to do is provide to that group of people, some transparency around what was implemented. The hardware root of trust actually means something versus just doing it in software. Providing that boundary and market separation of those who have a hardware root of trust and provide secure silicon is very valuable and it just cuts the noise out in the market. You're solving the problems of the silicon for the engineer. And it's a great partnership.”
  • IoXT Alliance expanding into commercial lighting, smart buildings, and cellular IoT. [23:30]: “We've just this year expanded pretty heavily into commercial lighting and back to the fragmentation discussion that we were having. There was another standard here in the United States that deals with energy stimulus and they didn't have a security standard as part of their requirements. So they added IOST and a couple of others, which has caused this catalyst for the commercial building guys to start coming in and look at certification. So that's been a real large growth area for us. And also if you look at a lot of the folks who make things like smart plugs and connected bulbs and things like that, they tend to have a consumer and commercial aspect to their business. We were originally really formed to address the consumer electronics issue, but we've grown now into the smart building space and cellular IoT has been another real big growth area for us.”
  • What does it mean if a cell phone has IoXT certification (at a high level!). [24:05]: “It’s interesting what we did for that market because once again we created a profile and that profile addressed things like, you know, we have no universal password requirement, right? That's our baseline. And we measure the strength of stuff, but what's interesting is what is a password on a cell phone and a password on a cell phone is actually biometrics. So our certification says, how good are the biometrics? And the better that your biometrics are, the higher your level in that space is okay. So these are the kinds of things that we looked at it cause honestly, right, if you pick up a phone, how do you know how accurate that fingerprint scanner is? And so these are the kinds of things that, especially when you're talking about enterprise folks, if you're trying any sort of payment or authentication, these things matter to you quite a bit."
  • The growing awareness of security not being an afterthought, enabled by frameworks, APIs, etc.. [26:46]: “Security isn't an afterthought, it is built in from the beginning. And that is underpinned by the security services that the chip guys make available and then how those security services are picked up and used by developers. So actually the developers don't have to have a detailed under the hood understanding of security. They're picking up APIs, they're making use of secure services that are provided by the chip platform. And then under the hood, the chip guys have implemented trusted cryptography, secure storage, and key management. So that hierarchy enables this scaling.”
  • Brad’s one piece of advice: don’t go alone! When things go wrong (which they will) you don’t want to be on your own. Be part of the herd and don’t be left behind. [27:40] “It definitely is a process. You need to bring it in at the design. You can't add five pounds of security right before you ship-that doesn't work. It has to be part of your culture, part of your engineering practice. The other very critical thing is regulations are ramping up more and more. You don't want to go it alone. Because when things go wrong, and they will always go wrong. You really want to be following best practices. Your part of the herd, you don't want to be the guys left behind. From a security standpoint that is super critical.”

Related Links

Discover more about the regulatory landscape

Find out the true cost of IoT insecurity

Share this page

The PSA Certified name, PSA Certified logos, PSA Functional API Certified logo featured on this website are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. Other brands and names mentioned on this website may be the trademarks of their respective owners.

Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.

Sign Up To Stay Up to Date With Our Latest Podcasts Episodes